Cryptocat for iPhone and Android – Call for Review

You know that using a .cat domain for something not related to Catalan culture or language is not allowed by the conditions established by ICANN and Fundació puntCAT?<p>You have only translated the main page (with Google Translator...) to make it look like you have some Catalan content there. That&#x27;s naughty.<p>&quot;In order to be granted a .cat domain, one needs to belong to the Catalan linguistic and cultural community on the Internet. A person, organization or company is considered to belong if they either:[4]<p><pre><code> 1. already have content in Catalan published online. 2. have access to a special code (sometimes called ENS), issued during special promotions or by agreements with certain institutions. 3. develop activities (in any language) to promote the Catalan culture and language. 4. are endorsed by 3 people or 1 institution already using a .cat domain name.&quot; </code></pre> Read more about it: <a href="http://en.wikipedia.org/wiki/.cat" rel="nofollow">http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;.cat</a>

Easy to be snarky about this. But I admire their persistence.<p>In the face of the extensive criticism they could have just given up.<p>Instead they have acknowledged making mistakes, didn&#x27;t give up, learnt from the mistake and changed their subsequent behavior. This is admirable.

I will say from skimming over the source tree the amount of code in CryptoCat(android) is surprisingly light. This is very refreshing compared to other chat applications which are unnecessarily huge.<p>Will be definitely going over this later.

If your multiparty protocol is actually something you want scrutinized, why not follow the accepted model and make a c library reference implementation and release a research paper outlining the basis for your design decisions?<p>&quot;Hey guys, here&#x27;s the code, file some bugs for software that is of no use for you to spend time auditing&quot; is pointless.<p>Adium has an incentive to read the libotr sources. Every user has a small incentive to read kernel sources.<p>Nobody has any meaningful incentives to read the cryptocat homebrew multiparty cryptosystem except the few you&#x27;ve paid to do so. This is cargo cult peer review; it looks like you&#x27;re doing it but it doesn&#x27;t actually yield the intended results.<p>PS: glad to see you switched to OTR for two party. You should have done that years ago, but at least you wised up in the end. Hopefully nobody got killed or tortured in the process.

And why the hell should i use a app that is written by know poeple that prooven they have no clue about crypto? Why shouldn&#x27;t i use one of the many apps that support OTR?

Glad that they&#x27;re taking security seriously. It&#x27;s a sharp difference from how they used to do things[1]. However, I&#x27;d still like to see either an explicit bug bounty (there&#x27;s one implied here) or a paid audit.<p>[1]: <a href="http://blog.cryptographyengineering.com/2013/03/here-come-encryption-apps.html" rel="nofollow">http:&#x2F;&#x2F;blog.cryptographyengineering.com&#x2F;2013&#x2F;03&#x2F;here-come-en...</a>

can you give some screenshots or videos of the fingerprint showing mechanism?<p>My biggest concern with cryptocat is that this info is kind of hidden and not bubbled up to the user.<p>In the web version, the way its handled makes it possible for the server operator to replace who you are talking to mid-conversation without warning unless you click a fingerprint button before and after every message you send which nobody is going to do<p>I know there is an issue for this on the web version ( <a href="https://github.com/cryptocat/cryptocat/issues/463" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;cryptocat&#x2F;cryptocat&#x2F;issues&#x2F;463</a> ), just wondering if the mobile ones take a different approach.

How are you guys going to get Cryptocat on the iPhone app store? Apple rejects GPL-licensed apps.

So there&#x27;s a DC hackathon[0] taking place this weekend, and Cryptocat is on the list of projects to work on.<p>I imagine the Android and iOS apps would be ripe targets for bug finding adventures, but are there any places specifically that could use the kind of scrutiny that such an event could provide?<p>[0] - <a href="http://www.eventbrite.com/e/dc-internet-freedom-hackathon-tickets-9306081741" rel="nofollow">http:&#x2F;&#x2F;www.eventbrite.com&#x2F;e&#x2F;dc-internet-freedom-hackathon-ti...</a>

Man they are a glutton for punishment.